首頁 探索 說明
登入
richard
/
sorbetcms
關註 1
收藏 0
複製 1
程式碼 問題管理 0 合併請求 0 提交歷史 290 版本發佈 0 Wiki
瀏覽代碼

* Sanitize data entries for install gelato

Victor De la Rocha 15 年之前
父節點
071d50e367
當前提交
25f1c98695
共有 2 個文件被更改,包括 9 次插入10 次删除
分割檢視 顯示文件統計
  1. 4 5
      classes/install.class.php
  2. 5 5
      install.php

+ 4 - 5
classes/install.class.php 查看文件 

@@ -120,14 +120,13 @@ class Install {
120 120 
 			PRIMARY KEY  (`id_feed`)
121 121 
 			) ENGINE=MyISAM ;";
122 122
123 
-
124 
-		$sqlStr[] = "INSERT INTO `".Table_prefix."config` VALUES (". $this->data['posts_limit'] .", '".$this->data['title']."', '".$this->data['description']."', '".$this->data['lang']."', '".$this->data['template']."', '".$this->data['url_installation']."');";
125 
-		$sqlStr[] = "INSERT INTO `".Table_prefix."users` VALUES ('', '', '".$this->data['login']."', '".md5($this->data['password'])."', '".$this->data['email']."', '".$this->data['website']."', '".$this->data['about']."');";
123 
+		$sqlStr[] = "INSERT INTO `".Table_prefix."config` VALUES (". $db->sql_escape($this->data['posts_limit']).", '".$db->sql_escape($this->data['title'])."', '".$db->sql_escape($this->data['description'])."', '".$db->sql_escape($this->data['lang'])."', '".$db->sql_escape($this->data['template'])."', '".$db->sql_escape($this->data['url_installation'])."');";
124 
+		$sqlStr[] = "INSERT INTO `".Table_prefix."users` VALUES ('', '', '".$db->sql_escape($this->data['login'])."', '".md5($this->data['password'])."', '".$db->sql_escape($this->data['email'])."', '".$db->sql_escape($this->data['website'])."', '".$db->sql_escape($this->data['about'])."');";
126 125 
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('url_friendly', '0');";
127 126 
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('rich_text', '0');";
128 127 
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('allow_comments', '0');";
129 
-		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('offset_city', '".$this->data['offset_city']."');";
130 
-		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('offset_time', '".$this->data['offset_time']."');";
128 
+		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('offset_city', '".$db->sql_escape($this->data['offset_city'])."');";
129 
+		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('offset_time', '".$db->sql_escape($this->data['offset_time'])."');";
131 130 
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('shorten_links', '0');";
132 131 
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('rss_import_frec', '5 minutes');";
133 132 
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('check_version', '1');";

+ 5 - 5
install.php 查看文件 

@@ -63,7 +63,7 @@ $install->check_form();
63 63 
 					<legend class="install">Database Settings</legend>
64 64 
 					<ul>
65 65 
 						<li><label for="login">User:</label>
66 
-							<input type="text" name="db_login" id="db_login" value="<?php echo $install->data['db_login']?>" class="txt"/><?php echo $install->mostrarerror("10")?></li>
66 
+							<input type="text" name="db_login" id="db_login" value="<?php echo isset($install->data['db_login'])?$install->data['db_login']:''?>" class="txt"/><?php echo $install->mostrarerror("10")?></li>
67 67 
 						<li><label for="password">Password:</label>
68 68 
 							<input type="password" name="db_password" id="db_password" value="" class="txt"/></li>
69 69 
 						<li><label for="password2">Re-type password:</label>

@@ -78,22 +78,22 @@ $install->check_form();
78 78 
 					<legend class="install">Admin user</legend>
79 79 
 					<ul>
80 80 
 						<li><label for="login">User:</label>
81 
-							<input type="text" name="login" id="login" value="<?php echo $install->data['login']?>" class="txt"/><?php echo $install->mostrarerror("1")?></li>
81 
+							<input type="text" name="login" id="login" value="<?php echo isset($install->data['login'])?$install->data['login']:''?>" class="txt"/><?php echo $install->mostrarerror("1")?></li>
82 82 
 						<li><label for="password">Password:</label>
83 83 
 							<input type="password" name="password" id="password" value="" class="txt"/><?php echo $install->mostrarerror("2")?></li>
84 84 
 						<li><label for="password2">Re-type password:</label>
85 85 
 							<input type="password" name="password2" id="password2" value="" class="txt"/><?php echo $install->mostrarerror("3")?></li>
86 86 
 						<li><label for="email">E-mail:</label>
87 
-							<input type="text" name="email" id="email" value="<?php echo $install->data['email']?>" class="txt"/><?php echo $install->mostrarerror("4")?></li>
87 
+							<input type="text" name="email" id="email" value="<?php echo isset($install->data['email'])?$install->data['email']:''?>" class="txt"/><?php echo $install->mostrarerror("4")?></li>
88 88 
 					</ul>
89 89 
 				</fieldset><br  />
90 90 
 				<fieldset class="install">
91 91 
 					<legend class="install">Tumblelog configuration</legend>
92 92 
 					<ul>
93 93 
 						<li><label for="title">Title:</label>
94 
-							<input type="text" name="title" id="title" value="<?php echo $install->data['title']?>" class="txt"/></li>
94 
+							<input type="text" name="title" id="title" value="<?php echo isset($install->data['title'])?$install->data['title']:''?>" class="txt"/></li>
95 95 
 						<li><label for="description">Description:</label>
96 
-							<input type="text" name="description" id="description" value="<?php echo $install->data['description']?>" class="txt"/></li>
96 
+							<input type="text" name="description" id="description" value="<?php echo isset($install->data['description'])?$install->data['description']:''?>" class="txt"/></li>
97 97 
 						<li><label for="url_installation">Installation URL</label>
98 98 
 							<input type="text" name="url_installation" id="url_installation" value="<?php if(isset($_SERVER['SCRIPT_URI']))echo substr($_SERVER["SCRIPT_URI"], '0', '-12'); ?>" class="txt"/><?php echo $install->mostrarerror("5")?></li>
99 99 
 						<li><label for="posts_limit">Post limit:</label>